Shalyn Watkins of Holland & Knight writes: For most healthcare providers and businesses, signing a Business Associate Agreement (BAA) is a standard practice. When contracting to provide services with an entity governed by the Health Insurance Portability and Accountability Act (HIPAA), it is a requirement that the entity enter into a business associate contract, also…
National Public Data Published Its Own Passwords
Brian Krebs reports: New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its…
How many times has Carespring Health Management been attacked since last year? (1)
In October 2023, Carespring Health Care Management was the victim of a ransomware attack. It was not announced on its website, but in November, Carespring was listed on the NoEscape ransomware gang’s site. At the time, the threat actors claimed they had encrypted Carespring’s files and exfiltrated 364 GB of files. The incident never appeared…
National Public Data reports highly publicized breach affected a total 1.3 million people
There has been a lot of publicity about a breach and then leak of data from National Public Data. Some early reports erroneously claimed that 2.9 billion people were affected. Other sources noted more accurately noted that 2.9 billion was the number of records and not the number of unique individuals. In its disclosure to…
CFIUS Fines T-Mobile $60 Million Over Unauthorized Data Access and Breach Response
Hunton Andrews Kurth writes: On August 14, 2024, the Committee on Foreign Investment in the United States (“CFIUS”) disclosed that it had assessed a $60 million penalty against T-Mobile US, Inc. (“T-Mobile”) in connection with unauthorized data access incidents following T-Mobile’s 2020 merger (the “Merger”) with Sprint Corporation (“Sprint”). CFIUS is a U.S. government interagency…
Ransom campaign hits cloud servers
Catalin Cimpanu reports: A threat actor is hacking and extorting companies that have misconfigured their cloud server infrastructure. The data extortion campaign has been taking place since earlier this year and involves a large-scale scan of the internet for companies that have exposed their environment variable files. Also known as .ENV, these files act as…